06-20-2011 09:03 PM - edited 03-04-2019 12:46 PM
Hi Again,
After some very constructive comments by Paolo I was wondering if anyone would like to share any comments on how to improve the performance of my routers. Below is a typical config I use for 857 and 877 routers I deploy. I realise it isn't even close to perfect. But, me being a creature of habit, I have never got around to figuring out why some of the config is slowing the router down so much. So...
I greatly appreciate all comments and help.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
no service dhcp
!
hostname Users857w
!
boot-start-marker
boot-end-marker
!
logging count
logging userinfo
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone ESTime 10
clock save interval 8
!
crypto pki trustpoint TP-self-signed-1114035
---Snip---
!
crypto pki certificate chain TP-self-signed-1114035
----Snip----
quit
dot11 syslog
!
dot11 ssid XXXXgoona
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 xxxx
!
no ip source-route
!
!
ip cef
ip inspect name Inspect_Out dns
ip inspect name Inspect_Out ftp
ip inspect name Inspect_Out pptp
ip inspect name Inspect_Out https
ip inspect name Inspect_Out imap
ip inspect name Inspect_Out pop3
ip inspect name Inspect_Out rcmd
ip inspect name Inspect_Out realaudio
ip inspect name Inspect_Out esmtp
ip inspect name Inspect_Out tftp
ip inspect name Inspect_Out tcp router-traffic
ip inspect name Inspect_Out udp router-traffic
ip inspect name Inspect_Out icmp router-traffic
no ip bootp server
ip domain name XXXXgoona.local
ip name-server 139.130.4.4
ip name-server 203.50.2.71
login block-for 300 attempts 4 within 60
login delay 7
login quiet-mode access-class Allow_Quiet_Mode
login on-failure log
login on-success log
!
username theuser privilege 15 secret 5 $1$cd4O$lA8
!
archive
log config
hidekeys
!
ip ssh version 2
!
bridge irb
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
load-interval 30
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
ssid XXXXgoona
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Ramtech LAN Interface
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer0
description Ramtech Westnet
ip address negotiated
ip access-group Internet_Inbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect Inspect_Out out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXXgoo10@direct.telstra.net
ppp chap password 7 xxxx
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat source static tcp 192.168.x.x 25 interface Dialer0 25
ip nat source static tcp 192.168.x.x 443 interface Dialer0 443
ip nat source static tcp 192.168.x.x 987 interface Dialer0 987
ip nat source static tcp 192.168.x.x 3389 interface Dialer0 3389
ip nat inside source list Allow_NAT interface Dialer0 overload
!
ip access-list standard Allow_LAN_Access
permit 192.168.1.0 0.0.0.255
ip access-list standard Allow_NAT
permit 192.168.1.0 0.0.0.255
ip access-list standard Allow_Quiet_Mode
remark IPs allowed during quietmode lockdown
permit 192.168.1.0 0.0.0.255
!
ip access-list extended Internet_Inbound
remark --- Anyone is allowed SMTP to the server
permit tcp any host 110.142.x.x eq smtp
permit tcp any host 110.142.x.x eq 443 log
permit tcp any host 110.142.x.x eq 987 log
permit tcp any host 110.142.x.x eq 1723 log
permit gre any any log
permit tcp host 202.173.x.x host 110.142.x.x eq 22 log
permit tcp host 202.173.x.x host 110.142.x.x eq 3389
!
logging trap debugging
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 route ip
alias exec tl0 terminal length 0
alias exec ps show process cpu
alias exec top show process cpu sort 5m | excl (0.00% 0.00% 0.00%)
alias exec version show version | include image
alias exec uptime show version | include uptime|ROM[^:]|restarted
alias exec hist show process cpu history
alias exec dsl show dsl interface atm0 | include DSL[^:]|dB|Activat|LED|Speed
!
line con 0
no modem enable
transport preferred none
transport output all
line aux 0
transport output all
line vty 0 2
exec-timeout 20 0
privilege level 15
transport preferred none
transport input telnet
line vty 3 4
exec-timeout 20 0
privilege level 15
transport preferred none
transport input ssh
transport output all
!
scheduler max-task-time 5000
sntp server 202.173.x.x
sntp server 128.250.x.x
sntp server 202.72.x.x
06-20-2011 09:19 PM
Remove inspection.
06-20-2011 09:24 PM
Thanks for the reply,
As per original post, when I do that, all NAT traffic stops. What else do I need to do?
Do I have to change the below line somehow?
ip nat inside source list Allow_NAT interface Dialer0 overload
06-21-2011 01:19 AM
Hi,
If you only remove inspection, you will still have the inbound ACL on Dialer which will drop most traffic. With inspection, traffic initiated from the inside will be let through like this.
If you decide to remove inspection, you need to modify the ACL: Internet_Inbound to allow traffic.
Warm Regards,
Rose
06-21-2011 04:25 PM
Thanks Rose,
I know I sound dumb here but I still don't understand what I need to change on the internet inbound ACL to allow NAT traffic to get back in. An example or sample ACL would be appreciated if it were available.
06-22-2011 02:38 AM
Hi,
It is a bit more complicated as it depends on what kind of traffic you would like to let through and you probably know this better.
Currently we have:
ip access-list extended Internet_Inbound
remark --- Anyone is allowed SMTP to the server
permit tcp any host 110.142.x.x eq smtp
permit tcp any host 110.142.x.x eq 443 log
permit tcp any host 110.142.x.x eq 987 log
permit tcp any host 110.142.x.x eq 1723 log
permit gre any any log
permit tcp host 202.173.x.x host 110.142.x.x eq 22 log
permit tcp host 202.173.x.x host 110.142.x.x eq 3389
For example, if you want to add HTTP traffic (external HTTP server), we would need to add:
permit tcp any eq 80 host
or
permit tcp any eq 80 any (this would let any HTTP traffic through though)
Warm Regards,
Rose
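To make Rose's point concrete, here is an added example that is not part of the thread and not Cisco code: a small Python model of how an IOS extended ACL is evaluated on an inbound interface, with and without a CBAC-style session table. All addresses are constructed placeholders (110.142.0.1 stands in for the poster's 110.142.x.x, 202.173.0.9 for the admin host, 93.184.216.34 for an external web server); the DNS server 139.130.4.4 is the one in the posted config. The model approximates IOS semantics: first match wins, implicit deny at the end, `established` matches only TCP segments with the ACK or RST bit set, and inspection (or a reflexive ACL) opens a pinhole for the reply to an outbound flow.

```python
"""Stateless vs stateful evaluation of an IOS-style inbound ACL (added example).

Models why removing `ip inspect` breaks NAT return traffic, what the
`established` keyword fixes, and what it does not (UDP replies such as DNS).
All addresses below are constructed placeholders, not the poster's real hosts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}  # subset of IOS port keywords


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False          # TCP ACK/RST set -> counts as "established" in IOS


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp", "udp", "gre", ...
    src: Optional[str]         # None means "any"
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    established: bool


def _take_endpoint(tokens: List[str], i: int) -> Tuple[Optional[str], Optional[int], int]:
    """Consume 'any' or 'host A', then an optional 'eq PORT'."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError("only 'any' and 'host A' endpoints are modelled")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        i += 2
    return addr, port, i


def parse_acl(text: str) -> List[Rule]:
    """Parse the subset of IOS extended-ACL syntax used in the thread."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        if tokens[-1] == "log":              # logging does not affect the decision
            tokens = tokens[:-1]
        established = tokens[-1] == "established"
        if established:
            tokens = tokens[:-1]
        action, proto = tokens[0], tokens[1]
        src, sport, i = _take_endpoint(tokens, 2)
        dst, dport, _ = _take_endpoint(tokens, i)
        rules.append(Rule(action, proto, src, sport, dst, dport, established))
    return rules


def _match(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src not in (None, pkt.src) or rule.sport not in (None, pkt.sport):
        return False
    if rule.dst not in (None, pkt.dst) or rule.dport not in (None, pkt.dport):
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate_acl(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for rule in rules:
        if _match(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Minimal CBAC/reflexive-ACL behaviour: an outbound flow opens a pinhole for its reply."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        # Remember the flow in reply direction (src/dst swapped).
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> str:
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return "permit"                   # reply to a tracked session
        return evaluate_acl(self.rules, pkt)  # otherwise the static ACL decides


# The thread's Internet_Inbound ACL with constructed addresses filled in.
INTERNET_INBOUND = """
remark --- Anyone is allowed SMTP to the server
permit tcp any host 110.142.0.1 eq smtp
permit tcp any host 110.142.0.1 eq 443 log
permit tcp any host 110.142.0.1 eq 987 log
permit tcp any host 110.142.0.1 eq 1723 log
permit gre any any log
permit tcp host 202.173.0.9 host 110.142.0.1 eq 22 log
permit tcp host 202.173.0.9 host 110.142.0.1 eq 3389
"""
WITH_ESTABLISHED = "permit tcp any any established\n" + INTERNET_INBOUND

# Constructed inbound packets: two replies to LAN-initiated flows, one unsolicited attempt.
SCENARIOS: Dict[str, Packet] = {
    "https_reply": Packet("tcp", "93.184.216.34", 443, "110.142.0.1", 54321, ack=True),
    "dns_reply": Packet("udp", "139.130.4.4", 53, "110.142.0.1", 40000),
    "unsolicited_rdp": Packet("tcp", "198.51.100.7", 40001, "110.142.0.1", 3389),
}


def stateless_results(acl_text: str) -> Dict[str, str]:
    """Inbound ACL only, as after `no ip inspect` on Dialer0."""
    rules = parse_acl(acl_text)
    return {name: evaluate_acl(rules, pkt) for name, pkt in SCENARIOS.items()}


def stateful_results(acl_text: str) -> Dict[str, str]:
    """Inbound ACL plus inspection: the LAN's outbound flows are tracked first."""
    fw = StatefulFilter(parse_acl(acl_text))
    fw.outbound(Packet("tcp", "110.142.0.1", 54321, "93.184.216.34", 443))
    fw.outbound(Packet("udp", "110.142.0.1", 40000, "139.130.4.4", 53))
    return {name: fw.inbound(pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    print("ACL only:           ", stateless_results(INTERNET_INBOUND))
    print("ACL + established:  ", stateless_results(WITH_ESTABLISHED))
    print("ACL + inspection:   ", stateful_results(INTERNET_INBOUND))
```

With the ACL alone, both replies are dropped, which is exactly the "all NAT traffic stops" symptom. Prepending `permit tcp any any established` lets the HTTPS reply back in but still drops the DNS reply, because `established` only looks at TCP flag bits; UDP return traffic needs either explicit permits (for example `permit udp host 139.130.4.4 eq 53 any`) or a reflexive ACL (`reflect` on the outbound ACL, `evaluate` in the inbound one). `established` is also weaker than inspection because it trusts the ACK bit rather than a real session table. That is why Rose's answer depends on which traffic the site actually needs.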
06-26-2011 02:50 PM
Thanks Rose.
I obviously am explaining this poorly. What I was trying to establish is how to get rid of CBAC whilst maintaining an ingress ACL. But I think I have that figured now. Sorry for the confusion.
Sent from Cisco Technical Support iPhone App
06-27-2011 02:06 AM
Hi,
I am glad to hear that it got sorted out and sorry for the confusion on my part as well.
If everything is fine, it might be better to mark the thread as "answered" so others are aware of it too.
Cheers,
Rose